On my dedicated server I built a tiny app that squeezes all connections into 1, and at my local system, I turn it back into multiple connections again, and make it act like regular sockets that connect, perform I/O and disconnect.

The picture below (click for a bigger version) should clarify it a bit:

In these places I can't modify NAT tables:
- at home
- at work
- at school

So just having a router in front doesn't solve it.

At school I can't even host a service on my LAN address, so the private server would be bound to 127.0.0.1 in this case, and still be accessible by my peers. I'm doing Computer Science, and it's a bit 'funny' nobody can connect to my local services.


If your tunnel is like 8080 localhost:8080 -> then you can connect to localhost:8080 on your computer at school, and data through that will end up at the other end of the tunnel (your home server/pc) regardless of what's in between.

I haven't tested the two-wayness of the tunnel, e.g. if you make your home pc connect on the port you specified. Then again I can't think of a good use case where I would want my home computer to connect to my pc at school/work.

Anyway the 8080 to localhost:8080 is actually going over port 22 I think. I should know, I guess, but come to think of it I'm pretty sure, since some students also use it to circumvent the WOW ports being blocked. I just never gave it too much thought, I guess.

The benefit of SSH tunneling is you can do things with programs like Putty to set local forwarding to remote addresses.

So you can set up a tunnel to port 6667 of irc.freenode.net (for example) and have port 6000 on localhost forward, so you simply connect to localhost:6000 on your machine and it uses the SSH tunnel to push through (granting the machine you are SSH'ing to has the ability to connect to that port and hostname). I have to do this at work since they block practically everything... fortunately not SSH though.

=> To my understanding, each end-user has to run this SSH Client, to connect to the service which is not publicly available. (correct?)

My approach:
- config The Server to listen on localhost:any_port for incoming tunnel (The Client), listen on localhost:any_port for end-users
- config The Client to connect to tunnel (The Server), and specify the 'real service' (any_host:any_port, not only localhost!)

=> End-user doesn't have to run anything, to connect to the service which is not publicly available: connect to hostname:port (The Server)

Please correct me if I'm wrong



Now I can host some service on my LAN ip address, even when NAT tables can't be changed (which is not surprisingly the case here).

But ehm... does an application like this already exist?

For my game net.application I'm not used to "squeezing" all TCP/UDP call-backs into one, but instead one port for one remote client to a server. I really don't imagine why you would theoretically rasterize multiple clients into one connected to a public server. That sounds like a provider-like network structure. In your scheme I'd change the public server item with a ClientInterface directly connecting to your private server using FIREWALL, NAT, etc. addressing. That would be much faster and easier to compile. Let's say:

[Clients] <> ClientInterface <-----asynch------> RemoteServerAlgorithm (callback-loop()) <> net.Application [HOME-SERVER]

or even:

[Clients] <> ClientInterface <-------synch--------> RemoteServerAlgorithm [SERVER] <--asynch--> net.Application (call-back loop) [HOME]

That can depend on where you want to set up a web-server. But as a matter of fact, all clients would be much more interested in an asynchronous connection stream than having all their stuff compressed into such a one-for-all stream.

=> End-user doesn't have to run anything, to connect to the service which is not publicly available: connect to hostname:port (The Server)

Please correct me if I'm wrong

Except for your client?

It's no different from ssh at a global point of view, other than that the ssh is embedded in your application. I suppose you could just find some java implementation of a ssh-client and you're in business too.

Oh, also please note the security issues with allowing just anyone to set up tunnels to your server to just about everything.

Nah, the end-user (client) doesn't have to run anything to enable this tunnel.

As both approaches have *very* different definitions of Server and Client, I'll rephrase my architecture a bit:

FrontendServer: This is a server that is accessible from anywhere
BackendServer: This is a server that is NOT accessible from anywhere
RealService: Running on somewhere NOT publicly accessible, yet accessible from the BackendServer

The BackendServer connects to the FrontendServer (this will be the tunnel). Any incoming sockets at the FrontendServer are sent through the tunnel, end up at the BackendServer, and connect to the RealService.

So clients connect to the FrontendServer, and for them it feels like they are doing I/O with the RealService.

Well, it's clear now what the differences are, and to be honest, I think my solution is both more secure, and less intrusive, as the client cannot know it's being tunneled.

Anyway, I learned a lot, and used my app at work successfully now. Thanks for your comments and explanations!

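The FrontendServer / BackendServer / RealService design described in the post above, as an added Python example that is not the poster's app: it implements the multiplexing layer with a frame format of my own choosing (type, stream id, length) so many client sockets share the one tunnel connection, and the backend drops frames for unknown or already-closed streams instead of trusting whatever arrives. The sockets to RealService are left out, and the tunnel connection from the BackendServer should itself be authenticated, which is the security point raised earlier in the thread.

```python
import struct
# Wire format on the single tunnel connection (my own choice, not the poster's):
# 1-byte frame type, 4-byte stream id, 2-byte payload length, then payload.
OPEN, DATA, CLOSE = 1, 2, 3
HEADER = struct.Struct("!BIH")
def encode_frame(ftype, sid, payload=b""):
    if len(payload) > 0xFFFF:
        raise ValueError("payload exceeds one frame; split it first")
    return HEADER.pack(ftype, sid, len(payload)) + payload
def decode_frames(buf):
    """Return (complete frames, leftover bytes); a trailing partial frame is
    kept as leftover and prepended to the next read."""
    frames = []
    while len(buf) >= HEADER.size:
        ftype, sid, n = HEADER.unpack_from(buf)
        if len(buf) < HEADER.size + n:
            break
        frames.append((ftype, sid, bytes(buf[HEADER.size:HEADER.size + n])))
        buf = buf[HEADER.size + n:]
    return frames, buf
class BackendDemux:
    """BackendServer side: rebuilds per-client streams. In the real app each
    OPEN would connect a socket to RealService and DATA be written to it."""
    def __init__(self):
        self.streams = {}   # sid -> bytes received so far
        self.closed = set()
        self.rejected = 0   # frames for unknown or closed streams
    def handle(self, ftype, sid, payload):
        live = sid in self.streams and sid not in self.closed
        if ftype == OPEN and sid not in self.streams:
            self.streams[sid] = b""
        elif ftype == DATA and live:
            self.streams[sid] += payload
        elif ftype == CLOSE and live:
            self.closed.add(sid)
        else:
            self.rejected += 1  # out-of-order or bogus frame: drop, never crash
def demo():
    """FrontendServer side: clients 1 and 2 interleaved, arriving in two partial reads."""
    be = BackendDemux()
    wire = (encode_frame(OPEN, 1) + encode_frame(OPEN, 2)
            + encode_frame(DATA, 1, b"GET / ") + encode_frame(DATA, 2, b"PING")
            + encode_frame(DATA, 1, b"HTTP/1.0\r\n") + encode_frame(CLOSE, 1)
            + encode_frame(DATA, 1, b"late"))  # constructed: data after CLOSE
    first, rest = decode_frames(wire[:20])   # cuts the third frame in half
    second, _ = decode_frames(rest + wire[20:])
    for frame in first + second:
        be.handle(*frame)
    return be
```

The `rejected` counter is the backend's view of protocol abuse on the tunnel; in a deployment it is what you would log and alert on.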

I don't get one thing, if you have a computer (server) behind router, the router must forward the traffic on some port to the computer. Why not just use that port and connect to router (that will forward data to server) directly?

I cannot do port-forwarding, so I'm using a completely different computer (that either has port-forwarding, or has a public IP), to make my own computer with an inaccessible non-port-forwarding-supporting router able to host services publicly available.

If it sounds vague, read some articles describing why there are SSH tunnels and what-not.


Yes I've read it, but I did it fast and did not catch all the stuff. Well you explained it now: you're using a public computer that has port forwarding or some kind of public access, and it's connected to a backend server with no port forwarding and no public access.
